Skip to main content
ac1
ac1
Explorer III
September 26, 2022
Solved

Shared Policy Package: how to handel remote certificate and user SAML?

  • September 26, 2022
  • 4 replies
  • 3283 views

Dear all,

I've recently imported three FortiGate v7.2.1 on dedicated ADOM on FortiManager v7.2.1.

I follow this KB:       Technical Tip: Adding FortiGates to shared Policy ... - Fortinet Community

 

FortiGate 1 is the member I started from to make the policy package.

And all works fine, but when I try to deploy new policy there is an error in FortiManager  on FortiGate 2 and 3:

 

FortiGate 2

Post vdom failed: error :131 - datasrc invalid. object: user saml.ssl-azure-saml:idp-cert. detail: REMOTE_Cert_3. solution: data not exist

 

FortiGate 3

Post vdom failed: error :131 - datasrc invalid. object: user saml.ssl-azure-saml:idp-cert. detail: Remote_Cert_4. solution: data not exist

 

It seems not to exist the Remote Certificate associated on SAML user account, but I see this certificate in FortiGate and in device DB on FortiManager.

Unfortunately I noticed that it is not possible to make a dynamic object for this Remote Certificate object.

 

I also noticed that the configuration of the SAML FortiGate 2 and 3 user was overwritten at the first synchronization of the policies. I had to reconfigure the relative settings from the FortiManager CLI to restore the authentication of the VPNSSL.

 

How should I manage the Remote Certificate and the SAML user configuration if I have a shared policy package within the same ADOM?
What other actions can I take to investigate the problem further?

 

thanks

ac1

Best answer by ac1

I solved by importing the certificates on FortiManager using the setting for "Per-Device" so as to obtain 3 different configurations for each device related to the SAML user.

4 replies

Anthony_E
Staff
Anthony_E
Staff
September 29, 2022

Hello ac1,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
October 2, 2022

Hello ac1,

 

Could you please have a look into this document please?:

 

https://docs.fortinet.com/document/fortimanager/6.2.1/administration-guide/981386/saml-admin-authentication

 

Regards,

Best Regards
Markus_M
Staff & Editor
Markus_M
Staff & Editor
October 2, 2022

Hi ac1,

 

you can try to import the certificate by FortiManager CLI and give this a distinct name as in not REMOTE_CERT_1 or what the default is, but something like "SAML_Remote_Cert". Writing and overwriting even should work.

IF there is a problem finding that number _3 etc, check the command set on the FortiGate directly.

config user saml

edit saml_server_name

set idp_cert ? (question mark to show what the available datasource entries are)

 

Best regards,

 

Markus

    ac1
    ac1AuthorAnswer
    Explorer III
    October 22, 2022

    I solved by importing the certificates on FortiManager using the setting for "Per-Device" so as to obtain 3 different configurations for each device related to the SAML user.

    Terms & ConditionsAccessibility statement